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Independent Auditors’ Report on Compliance for Each Major Federal Program; Report on Internal 
Control over Compliance; and Report on Schedule of Expenditures of Federal Awards Required by 
the Uniform Guidance 


Fiscal and Management Control Board 
Massachusetts Bay Transportation Authority: 


Report on Compliance for Each Major Federal Program 


We have audited the Massachusetts Bay Transportation Authority’s (the Authority or MBTA), a component unit 
of the Massachusetts Department of Transportation, compliance with the types of compliance requirements 
described in the U.S. Office of Management and Budget (OMB) Compliance Supplement that could have a 
direct and material effect on each of the Authority's major federal programs for the year ended June 30, 2016. 
The Authority’s major federal programs are identified in the summary of auditors’ results section of the 
accompanying schedule of current year findings and questioned costs (Exhibit IV). 


Management's Responsibility 


Management is responsible for compliance with the federal statutes, regulations, and terms and conditions of 
its federal awards applicable to its federal programs. 


Auditors’ Responsibility 


Our responsibility is to express an opinion on compliance for each of the Authority’s major federal programs 
based on our audit of the types of compliance requirements referred to above. We conducted our audit of 
compliance in accordance with auditing standards generally accepted in the United States of America; the 
standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller 
General of the United States; and Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative 
Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Those 
standards and the Uniform Guidance require that we plan and perform the audit to obtain reasonable 
assurance about whether noncompliance with the types of compliance requirements referred to above that 
could have a direct and material effect on a major federal program occurred. An audit includes examining, ona 
test basis, evidence about the Authority’s compliance with those requirements and performing such other 
procedures as we considered necessary in the circumstances. 


We believe that our audit provides a reasonable basis for our opinion on compliance for each major federal 
program. However, our audit does not provide a legal determination of the Authority’s compliance. 


Opinion on Each Major Federal Program 


In our opinion, the Authority complied, in all material respects, with the types of compliance requirements 
referred to above that could have a direct and material effect on each of its major federal programs for the year 
ended June 30, 2016. 
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Other Matters 


The results of our auditing procedures disclosed instances of noncompliance, which are required to be reported 
in accordance with the Uniform Guidance and which are described in the accompanying schedule of findings 
and questioned costs as items 2016-005 and 2016-006. Our opinion on each major federal program is not 
modified with respect to these matters. 


The Authority’s responses to the noncompliance findings identified in our audit is described in the 
accompanying schedule of findings and questioned costs. The Authority's responses were not subjected to the 
auditing procedures applied in the audit of compliance and, accordingly, we express no opinion on the 
responses. 


Report on Internal Control over Compliance 


Management of the Authority is responsible for establishing and maintaining effective internal control over 
compliance with the types of compliance requirements referred to above. In planning and performing our audit 
of compliance, we considered the Authority’s internal control over compliance with the types of compliance 
requirements that could have a direct and material effect on a major federal program to determine the auditing 
procedures that are appropriate in the circumstances for the purpose of expressing an opinion on compliance 
for each major program and to test and report on internal control over compliance in accordance with the 
Uniform Guidance, but not for the purpose of expressing an opinion on the effectiveness of internal control over 
compliance. Accordingly, we do not express an opinion on the effectiveness of the Authority’s internal control 
over compliance. 


A deficiency in internal control over compliance exists when the design or operation of a control over 
compliance does not allow management or employees, in the normal course of performing their assigned 
functions, to prevent, or detect and correct, noncompliance with a type of compliance requirement of a federal 
program on a timely basis. A material weakness in internal control over compliance is a deficiency, or 
combination of deficiencies, in internal control over compliance, such that there is a reasonable possibility that 
material noncompliance with a type of compliance requirement of a federal program will not be prevented, or 
detected and corrected, on a timely basis. A significant deficiency in internal control over compliance is a 
deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance 
requirement of a federal program that is less severe than a material weakness in internal control over 
compliance, yet important enough to merit attention by those charged with governance. 


Our consideration of internal control over compliance was for the limited purpose described in the first 
paragraph of this section and was not designed to identify all deficiencies in internal control over compliance 
that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant 
deficiencies may exist that were not identified. We did not identify any deficiencies in internal control over 
compliance that we consider to be material weaknesses. However, we identified certain deficiencies in internal 
control over compliance, as described in the accompanying schedule of findings and questioned costs as items 
2016-005 and 2016-006 that we consider to be significant deficiencies. 


The Authority’s responses to the internal control over compliance findings identified in our audit is described in 
the accompanying schedule of findings and questioned costs. The Authority’s responses were not subjected to 
the auditing procedures applied in the audit of compliance and, accordingly, we express no opinion on the 
responses. 


The purpose of this report on internal control over compliance is solely to describe the scope of our testing of 
internal control over compliance and the results of that testing based on the requirements of the Uniform 
Guidance. Accordingly, this report is not suitable for any other purpose. 
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Report on Schedule of Expenditures of Federal Awards Required by Uniform Guidance 


We have audited the financial statements of the Authority as of and for the year ended June 30, 2016, and 
have issued our report thereon dated December 15, 2016, which contained an unmodified opinion on those 
financial statements. Our audit was conducted for the purpose of forming an opinion on the financial statements 
as a whole. The accompanying schedule of expenditures of federal awards is presented for purposes of 
additional analysis as required by the Uniform Guidance and is not a required part of the financial statements. 
Such information is the responsibility of management and was derived from and relates directly to the 
underlying accounting and other records used to prepare the financial statements. The information has been 
subjected to the auditing procedures applied in the audit of the financial statements and certain additional 
procedures, including comparing and reconciling such information directly to the underlying accounting and 
other records used to prepare the financial statements or to the financial statements themselves, and other 
additional procedures in accordance with auditing standards generally accepted in the United States of 
America. In our opinion, the schedule of expenditures of federal awards is fairly stated in all material respects in 
relation to the financial statements as a whole. 


KPMG LEP 


Boston, Massachusetts 
March 29, 2017 
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Expenditures, 


Federal net of transfers 
catalog July 1, 2015 - 
Grant number number Program description June 30, 2016 
U.S. Department of Justice: 
Federal Equitable Sharing Program: 
MA-03-2500 16.922 Federal Equity Sharing Program $ 30,798 
Total U.S. Dept. of Justice 30,798 
U.S. Department of Transportation: 
Passed through the MassDOT: 
Federal Highway Administration 
FHWA - Section 130: 
$14001 20.205 Knowledge Corridor-Grade Crossings 218,549 
Total Highway Planning and Construction Cluster 218,549 
Federal Transit — Capital Investment Grants Program: 
MA-03-0281 20.500 Auburndale Access Improvements 173,684 
MA-03-0292 20.500 Fitchburg CR Improvements 7,820,027 
MA-04-0019 20.500 Hingham Intermodal & Harbor Park 1,168,256 
MA-04-0025 20.500 Quincy High Speed Catamaran 1,329,814 
MA-04-0048 20.500 Hingham Intermodal Center 1,130,847 
MA-04-0052 20.500 Hingham Ferry Dock 48,485 
MA-04-0053 20.500 Auburndale Station Design 174,966 
MA-04-0054 20.500 Rockport Comm. Rail Station 57,767 
MA-04-0064 20.500 Auburndale Fiber Optic Cable Installation 27,206 
MA-04-0077 20.500 FY 13 Bus Procurement 215,872 
MA-05-0103 20.500 FY07 Station Management Proj. 2,517,247 
MA-05-0105 20.500 FY07 Comm. Rail Vehicle Service 32,082,676 
MA-05-0109 20.500 Green Line #7 Car 15,029,820 
MA-05-0111 20.500 Columbia Junction 113 
MA-05-0115 20.500 FY 10 Red Line # 2 Car Overhaul 781,208 
MA-05-0120 20.500 Coach Reliability & Safety Prog. 836,399 
MA-05-0121 20.500 MBTA Power Program 2,900,859 
MA-05-0128 20.500 FY 2013 Infrastructure Impvs. 668,076 
MA-05-0129 20.500 Positive Train Control Ph. 1 494,496 
MA-55-0004 20.500 Assembly Square Project (5,090) 
MA-55-0005 20.500 Worcester-Boston Rail Corridor Improvement 2,776,787 
Subtotal #20.500 Direct Program 70,229,515 
Passed through the Rhode Island Department of Transportation: 
Federal Transit — Capital Investment Grants Program: 
RI-X12-X001 (90RI12) 20.500 Pawtucket Inspection Pit 349,282 
Subtotal #20.500 Pass-through 349,282 
Total #20.500 70,578,797 
Federal Transit — State of Good Repair Grants Program: 
MA-54-0001 20.525 Green Line No. 8 Car Enhancements 1,338,542 
MA-54-0002 20.525 FY 14 Bridge Program 1,017,410 
MA-54-0003 20.525 FY 13 AFC IT Upgrades 823,107 
MA-54-0005 20.525 MBTA Winter Resiliency Program 30,400,231 
MA-54-0006 20.525 MBTA Bridge and Tunnel Program 28,970,750 
Total # 20.525 62,550,040 
Federal Transit Formula Grants Program: 
MA-90-0331 20.507 FY99 Sec 5307 Infrastructure 173,887 
MA-90-0515 20.507 New Blue Line Cars 1,255,163 
MA-90-0516 20.507 Public Address/Electronic Sign 40,751 
MA-90-0552 20.507 Orange Line Upgrades 160,793 
MA-90-0576 20.507 Orange Line Journal Bearing Replacement 1,595 
MA-90-0577 20.507 175 Buses/Fairmount Line (GANS) 266,831 
MA-90-0589 20.507 Everett Shop Equipment 948,454 
MA-90-0590 20.507 IT System/NR Vehicle GL PTC 1,307,827 
MA-90-0591 20.507 FY 2010 Loco & Coach Procurement 30,197,933 
MA-90-0600 20.507 MBTA Power Program 6,283,469 
MA-90-0609 20.507 FY 2012 Bridge Program 3,815,308 
MA-90-0617 20.507 Science Park Station Project 237,402 
MA-90-0618 20.507 Haverhill Line Double Track 1,591,800 
MA-90-0621 20.507 Red & Orange Line Vehicle Prev. Maint. 5,399,158 
MA-90-0622 20.507 Orient Heights Station 68,398 
MA-90-0631 20.507 Orient Heights Station 899,135 
MA-90-0641 20.507 192 ECD Bus Midlife Overhaul 3,287,154 
MA-90-0644 20.507 FY 2013 Infr Improvements B 5,377,933 
MA-90-0649 20.507 Government Center Reconstruction 37,107,337 
MA-90-0711 20.507 Red Line Signals Upgrade 5,265,080 
MA-90-0712 20.507 FY 2015 Preventive Maintenance 4,000,000 
MA-90-0713 20.507 FY 2015 Bridge Program 9,769,641 
MA-90-0735 20.507 Green Line Signal Replacement 485,330 
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Expenditures, 


Federal net of transfers 
catalog July 1, 2015 - 
Grant number number Program description June 30, 2016 
MA-90-0739 20.507 MBTA 2016 Bus Procurement $ 3,199,798 
MA-95-0012 20.507 Assembly Square Project 222 
MA-95-0014 20.507 Locomotive Procurement CMAQ Flex 1,470,162 
MA-95-0022 20.507 Wachusett Extension Project 156,078 
MA-96-0001 20.507 Back Bay Vent/RIDE Vans (ARRA) 363,085 
Total # 20.507 123,129,724 
Total Federal Transit Cluster 256,258,561 
Federal Transit — Public Transportation Research: 
MA-26-0063 20.514 Fairmount/Indigo Line TSCP Program 20,683 
Total # 20.514 20,683 
Passed through the MassDOT: 
MA-57-0023 20.521 Paratransit Taxi Subsidy 26,962 
Total Transit Services Program Cluster 26,962 
Public Transportation Emergency Relief Program: 
MA-44-3002 20.527 MBTA Resiliency Project 1,162,502 
Total # 20.527 1,162,502 
Federal Transit — Transportation Investment Generating Economic Recovery Program: 
MA-78-0002 20.932 Fitchburg Wachusett Ext. Tiger (ARRA) 21,750,369 
Total #20.932 21,750,369 
Federal Railroad Administration: 
Passed through the Comm. Of Massachusetts: 
S10007 20.319 Knowledge Corridor — HSIPR-(ARRA) 10,736,908 
Passed through the NNEPRA: 
90-FRA1 20.319 Downeaster MBTA Track Improvement Project 78,764 
Total #20.319 10,815,672 
National Infrastructure Investments: 
MA-79-0001 20.933 Merrimack River Bridge — TIGER (ARRA) 749,573 
MA-79-0002 20.933 Ruggles Station Improvements — TIGER 10,195,973 
Total # 20.933 10,945,546 
Total U. S. Dept. of Transportation 301,198,844 
U.S. Department of Homeland Security: 
Urban Areas Security Initiatives: 
HSTS02-06-H-MLS110 (J10002) 97.072 TSA Natl. Explosives Canine Prog. 3,360 
HSTS02-10-H-CAN632 (J11002) 97.072 TSA Natl. Explosives Canine Prog. 68,100 
Total #97.072 71,460 
Direct Award: 
EMW2011RA00035 97.075 FY 2011 Transit Security (J11001) 2,109,130 
EMW2012RAKO00015 97.075 FY 2012 Transit Security (J12001) 1,235,596 
EMW2013RA00054 97.075 FY 2013 Transit Security (J13001) 1,063,369 
EMW2014R00055 97.075 FY 2014 Transit Security (J14001) 1,009,203 
Total #97.075 5,417,298 
Total of U. S. Dept. of Homeland Security 5,488,758 


* A subrecipient payment made from this grant equaled $20,631 


See accompanying notes to schedule of expenditures of federal awards. 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 


Notes to Schedule of Expenditures of Federal Awards 
June 30, 2016 


Definition of the Reporting Entity 


The Massachusetts Bay Transportation Authority (the Authority) is a component unit of the Massachusetts 
Department of Transportation and political subdivision of the Commonwealth of Massachusetts 

(the Commonwealth) formed pursuant to Commonwealth law to, among other things, hold and manage 
mass transportation facilities and equipment, and to enter into agreements for its operation, construction 
and use. 


The U.S. Department of Transportation (DOT) has been designated as the Authority’s cognizant Federal 
agency for the Single Audit. 


Summary of Significant Accounting Policies 
(a) Basis of Presentation 


The accompanying schedule of expenditures of federal awards has been prepared on the cash basis of 
accounting and includes federal expenditures. 


Approved Federal Grant Programs 


The Authority's Federal Transit — Capital Investment Grants and Formula Grants Programs, Public 
Transportation Emergency Relief Program, and the Transportation Investment Generating Economic 
Recovery Program (TIGER) for the year ended June 30, 2016 consisted primarily of capital grants under 
contracts with the Federal Transit Administration (FTA). These grants provide for the acquisition of land 
and equipment, the construction of service extensions, stations, and maintenance facilities, and the 
improvement of facilities and equipment. 


The Authority also received major program funding passed through the Commonwealth of Massachusetts 
from the Federal Railroad Administration (FRA), for the High-Speed Rail Corridors and Intercity passenger 
Rail Service (HSIPR). This program will provide approximately $72.8 million in federal funding for the 
reconstruction of the historic “Knowledge Corridor” rail line between Springfield, Massachusetts and East 
Brookfield, Massachusetts. Through MassDOT, the Authority also received $10.9 million of Federal 
Highway Administration (FHWA) Section 130 funding, also passed through the Commonwealth of 
Massachusetts, to rehabilitate 19 grade crossings along the Knowledge Corridor project. This project will 
allow restoration of Amtrak’s “Vermonter” intercity passenger rail service to a former, more direct route, and 
improve access to densely populated areas along the Connecticut River. Recognizing that the Knowledge 
Corridor project is outside of the Authority service area, a memorandum of agreement was executed with 
MassDOT, to provide for the Authority’s Design and Construction Department's oversight of this 
reconstruction effort. 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 


Notes to Schedule of Expenditures of Federal Awards 
June 30, 2016 


According to the terms of the FTA contracts, the Authority will be reimbursed from 75% to 100% of the 
allowable project costs as defined in the grant agreement. The terms of those federal grant contracts 
require the Authority to, in part, utilize the equipment and facilities for the purpose specified in the grant 
agreement, maintain these items in operation for a specified time period, which normally approximates the 
useful life of the equipment, and comply with the Equal Opportunity and Affirmative Action programs as 
required by the Moving Ahead for Progress in the 21°‘ Century Act (MAP-21). 


The Authority also received program funding from the U.S. Department of Homeland Security Office for the 
Department of Homeland Security’s Rail and Transit Security Grant Program. 


According to the terms of the Rail and Transit Security grants, the Authority will be reimbursed for 100% of 
the allowable project costs as defined in the grant agreements. These grants provide for the acquisition of 
equipment and other enhancements to the transit system’s security. 


Failure to comply with these terms may jeopardize future funding and require the Authority to refund a 
portion of these grants to their funding agencies. In management's opinion, no events have occurred which 
would result in the termination of these grants or which would require the refund of a significant amount of 
funds received under these grants. 

Subrecipient 

For the year ended June 30, 2016 the Authority provided $20,631 in federal awards to one subrecipient — 
the Dorchester Bay EDC — which constituted 100% of all funds provided by the Authority to subrecipients. 


The subrecipient payments are included in the expenditures for the Federal Transit — Public Transportation 
Research, Technical Assistance and Training Program, CFDA #20.514. 


Indirect Costs 
For the year ended June 30, 2016, the Authority did not elect to use the 10% de minimis indirect cost rate. 


Il-4 


KPMG! 


KPMG LLP 

Two Financial Center 
60 South Street 
Boston, MA 02111 


Exhibit Il 


Independent Auditors’ Report on Internal Control over Financial Reporting and on 
Compliance and Other Matters Based on an Audit of Financial Statements 
Performed in Accordance with Government Auditing Standards 


Fiscal and Management Control Board 
Massachusetts Bay Transportation Authority: 


We have audited, in accordance with the auditing standards generally accepted in the United States of America 
and the standards applicable to financial audits contained in Government Auditing Standards, issued by the 
Comptroller General of the United States, the financial statements of the Massachusetts Bay Transportation 
Authority (the Authority or MBTA), which comprise the statement of net position as of June 30, 2016, and the 
related statement of revenues, expenses and changes in net position and cash flows for the year then ended, 
and the related notes to the financial statements, and have issued our report thereon dated December 15, 
2016. 


Internal Control over Financial Reporting 


In planning and performing our audit of the financial statements, we considered the Authority's internal control 
over financial reporting (internal control) to determine the audit procedures that are appropriate in the 
circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of 
expressing an opinion on the effectiveness of the Authority’s internal control. Accordingly, we do not express an 
opinion on the effectiveness of the Authority’s internal control. 


Our consideration of internal control was for the limited purpose described in the preceding paragraph and was 
not designed to identify all deficiencies in internal control that might be material weaknesses or significant 
deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified. 
However, as described in the accompanying schedule of findings and questioned costs, we identified certain 
deficiencies in internal control, that we consider to be material weaknesses. A deficiency in internal control 
exists when the design or operation of a control does not allow management or employees, in the normal 
course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely 
basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is 
a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, 
or detected and corrected on a timely basis. We consider the deficiencies described in the accompanying 
schedule of findings and questioned costs as Findings 2016-001 and 2016-004 to be material weaknesses. 


Compliance and Other Matters 


As part of obtaining reasonable assurance about whether the Authority’s financial statements are free from 
material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, 
contracts, and grant agreements, noncompliance with which could have a direct and material effect on the 
determination of financial statement amounts. However, providing an opinion on compliance with those 
provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of 
our tests disclosed no instances of noncompliance or other matters that are required to be reported under 
Government Auditing Standards. 
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The Authority's Response to the Findings 


The Authority’s responses to the findings identified in our audit are described in the accompanying schedule of 
findings and questioned costs. The Authority’s responses were not subjected to the auditing procedures applied 
in the audit of the financial statements and, accordingly, we express no opinion on the responses. 


Purpose of this Report 


The purpose of this report is solely to describe the scope of our testing of internal control and compliance and 
the results of that testing, and not to provide an opinion on the effectiveness of the Authority’s internal control or 
on compliance. This report is an integral part of an audit performed in accordance with Government Auditing 
Standards in considering the Authority's internal control and compliance. Accordingly, this communication is not 
suitable for any other purpose. 


KPMG LEP 


Boston, Massachusetts 
December 15, 2016 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 
Schedule of Findings and Questioned Costs 
June 30, 2016 


(1) Summary of Auditors’ Results 


(2) 


(a) 


(b) 


(c 


~ 


(d 


—) 


(f) 
(9) 


(h) 
(i) 


Type of report issued on whether the financial statements were prepared in accordance with generally 
accepted accounting principles: Unmodified 


Internal control deficiencies over financial reporting disclosed by the audit of the financial statements: 


e Material weakness(es): Yes 


e Significant deficiency(ies): None reported 
Noncompliance material to the financial statements: No 
Internal control deficiencies over major programs disclosed by the audit: 


e Material weakness(es): No 


e Significant deficiency(ies): Yes 
Type of report issued on compliance for major programs: Unmodified 
Audit findings that are required to be reported in accordance with 2 CFR 200.516(a): Yes 


Major programs: 


Federal program or cluster CFDA number 
Federal Transit Cluster: 
Federal Transit — State of Good Repair Grants Program 20.525 
Federal Transit — Capital Investment Grants Program 20.500 
Federal Transit — Formula Grants Program 20.507 
Public Transportation Emergency Relief Program 20.527 


Dollar threshold used to distinguish between Type A and Type B programs: $3,000,000 


Auditee qualified as a low-risk auditee: No 


Findings Related to the Financial Statements Reported in Accordance with Government Auditing 
Standards 


Finding 2016-001 — Succession Planning 


Finding 


The MBTA like many other government entities is facing the need to do appropriate succession planning 
for key individuals throughout the organization. The over reliance on certain employees, unexpected 
employee absence or turnover and the ongoing retirement of the baby boomer generation contributes to 
the need to properly prepare and plan for transition. 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 


Schedule of Findings and Questioned Costs 
June 30, 2016 


During the current year audit, the absence of a key employee greatly impacted the Authority’s internal and 
external financial reporting process and identified the need to ensure that a sufficient number of skilled 
resources following well documented processes are in place to mitigate the impact of relying too heavily on 
a single employee. Additionally, it is unclear how the impending retirement of key employees in the payroll 
and employee benefits area is being addressed to ensure that these important activities continue 
unhindered. 


Over the next decade, as more MBTA employees reach retirement age, the Authority will be faced with a 
tremendous loss of institutional knowledge and possibly significant deficiencies in highly specialized areas 
and functions. As such, management needs to consider the need implement an appropriate personnel 
succession plan throughout the Authority. 


We reported no similar finding in the prior year and no statistically valid sampling was used. 


Recommendation 


We recommend that the Authority consider adopting a formal succession plan. Such a plan, at a minimum, 
should include identifying key personnel, retirement timeline and potential replacements. 


Views of Responsible Officials 


In fiscal year 2017 the Authority will address a formalized succession planning analysis and begin to work 
towards implementation of a comprehensive succession plan. This plan will reach across all entity related 
disciplines, such as transit operations, financial and administrative departments and have the full support of 
the Financial and Management Control Board. The plan will address the succession planning exposure and 
steps needed on an annual basis to remediate each individual opportunity with documented baseline for 
each case. This implementation process will lend itself to a living document which will meet the changing 
needs of the Authority. 


Finding 2016-002 —- Process Documentation 

Finding 

During the current year audit, the unexpected absence of an individual key to the Authority’s external 
financial process exposed a material control weakness in the business processes around the compilation of 


the Authority's external GAAP financial report. Documentation of key business processes is important to 
ensure that performance is consistent especially when temporary or permanent personnel changes occur. 


Additionally, with the recently implemented GASB statements (especially the pension standards) and the 
upcoming implementation of the OPEB standards, the complexity of the Authority's financial accounting 
and reporting responsibilities will continue to increase significantly. Management needs to ensure that the 
process documentation is prepared in conjunction with the implementation of any new standards to help 
ensure the standards are applied consistently each year after implementation. 


We recommend that the Authority add resources in the financial accounting and reporting areas who 
possess the critical skills needed to ensure that the process is documented, managed and executed 
effectively and efficiently. Evaluating the current processes and personnel and supplementing the 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 


Schedule of Findings and Questioned Costs 
June 30, 2016 


resources in these areas is critical to ensure that all internal and external accounting and reporting duties 
are performed properly. 


A material weakness was noted in the prior year audit in the retirement plan administration area. Due in 
part to the timing of the 2015 audit, this deficiency continued to exist throughout 2016. We have been told 
that the individual most fluent in the retirement plan administration area may be retiring. This situation will 
leave the Authority with a significant hole in an extremely complex area. 


We reported no similar finding in the prior year and no statistically valid sampling was used. 


Recommendation 


We recommend that, to the extent possible, the business processes be documented immediately to 
leverage the extensive knowledge of the individually currently working in this area. Should the knowledge 
not be transferred and a personnel change occur, the Authority will face a significant risk of errors occurring 
and not be detected in a timely fashion. 


Views of Responsible Officials 


The Authority will develop written business process documents for each functional area to address this 
issue. A Summary of individual processes will be developed in a clear concise narrative which will allow 
another staff member to effectively complete the necessary work should cases of extended or short term 
absences or retirement occur. This business process documentation will also be utilized as a training 
device in with a new employee as they join the Authority. 


Finding 2016-003 — Retirement Plans 
Finding 
The MBTA sponsors several retirement plans for its employees including six defined benefit plans and one 


defined contribution plan. 


During fiscal 2015, as a result of a new pronouncement from the Governmental Accounting Standards 
Board (GASB), the Authority was required to record the unfunded plan liability on its balance sheet rather 
than presenting it in the notes to the financial statements. 


As a result of this new standard, a material weakness in internal control was identified and reported as part 
of the June 30, 2015 audit. While management has begun the process of addressing certain portions of the 
control weaknesses, the material weakness in this area continued throughout fiscal 2016. 


Given the lack of process documentation and the potential turnover in the personnel in the employee 
benefits plan area, it is even more important the Authority management develop and implement a solution 
to the issues identified in the June 30, 2015 audit. 


No statistically valid sampling was used. 
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MASSACHUSETTS BAY TRANSPORTATION AUTHORITY 
(A Component Unit of the Massachusetts Department of Transportation) 


Schedule of Findings and Questioned Costs 
June 30, 2016 


Recommendation 


Management continues to implement initiatives around the Authority to improve operations. However, the 
risks associated with control deficiencies in the benefits administration area continue to be high and we 
recommend that correcting these deficiencies quickly be considered a high priority for management and the 
Board. 


Views of Responsible Officials 


The Authority continues to address this issue. An independent contractor has been retained to provide a 
framework and cost estimates for a comprehensive review of the plans that compares administrators in the 
marketplace. The final report will provide a comparison of recordkeeping service platforms, compliance, 
enrollment processing, website, employee education, plan capabilities and sponsorship, as well as cost. 


Finding 2016-004 - Forward Contracts 
Finding 
During the 2016 audit, we noted that, in previous years, the MBTA had entered into numerous forward 


delivery agreements (FDA) with several counterparties. These FDAs related to debt service and debt 
service reserve funds that the MBTA was required to maintain as part of it bond indenture. 


Until 2016, these FDAs had not been identified by management as derivatives under GASB Statement 
No. 53 that are required to be recorded at fair value on the MBTA’s balance sheet. Due to the current 
interest rate environment, the FDAs all had a positive fair value and the MBTA had no exposure on these 
agreements as of June 30, 2016. Rather the MBTA should have recorded an asset of approximately 
$100 million for these FDAs at June 30, 2016. 


Because the MBTA intends to hold these FDAs to maturity, management determined that the recognition of 
the asset was misleading as their value fluctuates with the rise and fall of interest rates and redemption of 
these contracts was unlikely. 


We reported no similar finding in the prior year and no statistically valid sampling was used. 


Recommendation 


We recommend that management continue to value these contracts at least annually to assess whether 
the decision to no recognize them in the balance sheet is still appropriate. As interest rates rise, it is 
possible that these agreements will have a negative fair value which would result in a liability having to be 
recorded. 


Views of Responsible Officials 


The Authority will prepare valuations of all the forward delivery agreements with the assistance of a third 
party at each fiscal year end for assessment of their value, risk and impact on the financial statements. The 
evaluation will facilitate the preparation and fair presentation of the statements in accordance with generally 
accepted accounting principles within a well maintained internal control environment for preparation of 
statements free of material misstatement. 
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(3) Findings and Questioned Costs Relating to Federal Awards 
Reference Number: 2016-005: Payroll Charges 


Federal Program: Federal Transit Cluster CFDA# 20.500, 20.507, 20.525 and 20.526 

Federal Agency: U.S. Department of Transportation 

Federal Award Number and Year: Various 

Pass-through Entity: None 

Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. 
Repeat Finding: The finding is a repeat finding of 2015-001 


Criteria 


Per 200 CFR 200.303, non-Federal entities receiving Federal awards must establish and maintain effective 
internal controls over Federal awards that provides reasonable assurance that they are managing Federal 
awards in compliance with Federal statutes, regulations and the provisions of contracts or grant 
agreements that could have a material effect on each of its Federal programs. One of the many Authority 
responsibilities includes establishing a system of internal controls in determining activities that are allowed 
or un-allowed. 


Condition 


The Authority uses the PeopleSoft Human Capital Management (HCMS) application in conjunction with the 
Time Keeping System (TKS) to support payroll operations. Both applications are supported by MBTA’s ITD 
group located at 10 Park Plaza in Boston, MA and hosted in a secured data center. 


We conducted a review of general IT controls (GITCs) relative to the HCMS and TKS applications. Our 
testing identified several control-level deficiencies which are described below: 
(a) PeopleSoft HCMS & TKS Change Management Segregation of Duties 

Control Activity 


The ability to perform changes to PeopleSoft HCMS and Time Keeping System in production is 
restricted to authorized IT administration personnel who do not have development responsibilities. 
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Observation 

PeopleSoft HCMS 

We noted six of the ten accounts with the ability to migrate changes to production were deemed 

inappropriate. 

e Four accounts belonged to developers who have the ability to migrate their own changes to 
production. This is a segregation of duties (SOD) issue. 


e One account belonged to a Finance System Administrator, whose level of access to HCMS is not 
commensurate with his/her job responsibilities. 


e One account was a shared service account utilized for batch job changes. While not an exception 
in itself, developers know the password to the account and potentially could use the account to 
migrate changes into production. 

Time Keeping System (TKS) 

Two of the three accounts with administrative access/change migration access to TKS belonged to 

developers who have the ability to migrate changes to production. This is a segregation of duties issue. 

PeopleSoft HCMS & Time Keeping System (TKS) 


While we noted MBTA ITD has a small support organization and limited resources, no compensating 
controls could be identified that would have mitigated the risk that developers could potentially migrate 
changes to production that were not authorized, tested, or approved by the relevant business/process 
owners. 


Additionally, we noted there was an overlap in privileged access capability between those users who 
could develop/migrate changes and those having application administrative responsibilities. 
PeopleSoft HCMS & TKS Change Approval 

Control Activity 

Changes to the PeopleSoft HCMS and Time Keeping System application, database and infrastructure 
are tested and approved prior to migration to production. 

Observation 

PeopleSoft HCMS & Time Keeping System (TKS) 


KPMG inspected a sample of 1 application change (TKS) during the audit period and determined that 
the user who had developed the change had also migrated it into production. Additionally, it was noted 
that the change ticket was dated October 2015 while the change reflected a February 2016 change 
date. 


Furthermore, it was also determined that neither the legacy TKS or the PeopleSoft HCM applications 
have the ability to provide a complete and accurate population of changes made. 
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PeopleSoft HCMS & TKS Application Layer Administrative Access 

Control Activity 

Administrative access to the PeopleSoft HCMS and Time Keeping System applications, including the 
ability to add/remove/modify user accounts and privileges, is restricted to system administrators based 
on their job responsibilities. 

Observation 

PeopleSoft HCMS 


Seven of the fifteen accounts with administrator access were deemed inappropriate. 


e Four accounts belonged to developers. This is a segregation of duties issue. 


e One account belonged to a Finance System Administrator, whose level of access to HCMS is not 
commensurate with his/her job responsibilities. 


e One account was a shared service account utilized for batch job changes. While not an exception 
in itself, the password to the account is known to the developers. 


e The user/owner of one account could not be identified. 


Time Keeping System (TKS) 

Two of the three users identified as having administrator access also have the ability to develop and 
migrate application code into production. 

TKS Database Layer Administrative Access 

Control Activity 

Administrative access to the Time Keeping System database, including the ability to 
add/remove/modify user accounts and privileges, is restricted to database and system administrators 
based on their job responsibilities. 

Observation 

Time Keeping System (TKS) 

Two of the five users identified as having administrative access to the TKS database (DataCom) also 
have the ability to develop and migrate code to production. This is a segregation of duties issue. 
TKS Server Layer Administrative Access 

Control Activity 


Administrative/Privileged access to servers hosting Time Keeping System, including the ability to 
add/remove/modify user accounts and privileges, is restricted to system administrators based on their 
job responsibilities. 
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Observation 

Time Keeping System (TKS) 

Two of the three accounts with administrative access/change migration access to TKS belong to 
developers who have the ability to migrate their own changes to production. This is a segregation of 
duties issue. 

PeopleSoft HCMS TKS and Active Directory (Network) User Access Review 

Control Activity 


Management reviews PeopleSoft HCMS, TKS and Network users and user access rights on a periodic 
basis to determine that only authorized users have access and that access is commensurate with 
employee job responsibilities. Timely follow-up is performed for identified deviations. 

Observation 

PeopleSoft HCMS 


KPMG inquired of management and noted that they have a user access review in place; however, the 
review is not performed at the appropriate level of precision. The reviewer only verifies that accounts 
belong to active employees. The reviewer does not perform a review of the underlying HCMS access 
rights for each ID 

Time Keeping System (TKS) 


Management does not review TKS users and user access rights on a periodic basis. 


Active Directory (Network) 


Management does not review Active Directory users and user access rights on a periodic basis. 


PeopleSoft HCMS & TKS Password Configuration 

Control Activity 

Password parameters for the PeopleSoft HCMS and Time Keeping System applications, databases, 
and servers are configured in compliance with the FMC password policy. 

Observation 

PeopleSoft HCMS Oracle Database 


KPMG determined that the password parameters for the PeopleSoft HCMS Database do not comply 
with password policy. 
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Cause 

The limited size of the IT groups and ITD’s overall burden of support makes service delivery a higher 
priority than governance. 

Effect 


The lack of controls has the potential for a significant impact on the administration of Federal funds as 
payroll changes to individual programs and grants is critical to properly supporting allowable grant 
expenditures. 


Unauthorized and inappropriate changes or access to key financial systems such as HCMS and TKS may 
lead to unauthorized or inaccurate processing, and the misuse or misappropriation of assets. 


Further user access review is a key control over existing employee access to ensure that users only retain 
access that is appropriate. 
Questioned Costs 


None 


Recommendations 

We recommend that MBTA ITD management: 

e review staffing at ITD and takes steps to introduce an appropriate staffing model that better supports 
segregation of duties 


e acquire and introduce a software solution that manages and logs the migration of all software changes 
to production thereby providing a complete, unambiguous and unmodifiable log of all changes that can 
be reviewed for appropriateness by management 


e MBTA business supervisors utilize reports provided by ITD to conduct periodic reviews of user access 
rights for each ID to the PeopleSoft HCMS and TKS applications and the network. 


e Following each review, MBTA business supervisors notify ITD to make any necessary changes to 
employee access or access rights. 


e Ensure that the password configuration for all accounts comply with MBTAs password policy. 


Views of Responsible Officials 
PeopleSoft HCMS 


e All HCMS PeopleSoft production access has been removed for developers and deleted for Finance 
System Administrators. All two tier access will be removed from developers in production. 


e One developer will have the ability to migrate into the production environment in both PS HCMS and 
TKS. 
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e Anew process has been developed. A Helpdesk ticket will be created by developer. The system 
administrator will then migrate on a specific day agreed upon by both IT and Business Owner. 


Time Keeping System (TKS) 


Two individuals share the entire TKS environment, from support, development, and migration. Simply 
stated, because of lack of personnel/resources to divide these functions into a more standardized protocol. 
One individual is also involved with SYSTEMS PROGRAMMING, in concert with On-line Consulting, our 
current systems support group, in getting new systems related software installed and tested. 


As a compensating level of protocol segregation, if one individual needs programs migrated, the other 
individual will migrate them, and if one makes changes, the other individual will migrate them to 
PRODUCTION. Since we can’t have a “single point of failure”, both individuals need to have ADMIN 
access. 


Any changes coming from the USER community are recorded into SERVICE NOW as an INCIDENT. Any 
change that comes in as an enhancement or request for change, is recorded as a TASK Order. These 
assigned numbers are entered into each program module as such, with a brief description of the change, 
and who did the change. The change(s) are tagged with initials followed by MMDD, month and day of the 
change. 


Effective June 1st, IT will be utilizing a new Charge Management System/Process, which will allow better 
tracking, reporting of all changes made to these systems. 
Change Approval 


Many times tickets (or Incidents) are created in one time frame, but the actual change does not go into 
PRODUCTION until a later date, as KPMG points out. This is a result of long test periods, and/or, level of 
difficulty of the change. 


TKS has many limitations due to shelf life and the change control method is limited and difficult to maintain. 
It is strictly a manual ‘logging’ method, and as noted, may not reflect accurate time/date stamps. 


Only recently, have we agreed to use one another to migrate TKS changes to PRODUCTION. The 
June 1st Change control process (SERVICE NOW) will help this process be better represented. 


PeopleSoft HCMS & TKS Password Configuration 


Management believes it has remediated this control deficiency to help ensure that the PeopleSoft HCMS 
Oracle Database password parameters comply with MBTA’s password policy. 
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Reference Number: 2016-006 — Capital Asset Inventory 

Federal Programs: Federal Transit Cluster CFDA# 20.500, 20.507, 20.525 and 20.526 

Federal Agency: U.S. Department of Transportation 

Federal Award Year: Various 

Pass-through Entity: None 

Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. 
Repeat Finding: No. 

Criteria 

Equipment Management 


FTA Circular C 5010.1D, Chapter IV, 3.k. (4) requires that a physical inventory of equipment must be taken 
and results reconciled with equipment records at least once every two years. Any differences must be 
investigated to determine the cause of the difference. 


Condition 


The Authority has established and implemented an equipment inventory policy. The policy requires that 
Capital Accounting conducts an equipment inventory at each Authority location every two years, with the 
assistance of departmental designees. 


During our equipment testwork, we noted that the required biennial equipment inventory for the period of 
January 1, 2015 through December 31, 2016 was not completed. The latest complete equipment inventory 
was performed for the period of January 1, 2013 through December 31, 2014. 


Cause and Possible Asserted Effect 


The Authority’s policies and procedures to perform a biennial equipment inventory is not designed or 
implemented to ensure that the inventory is completed every two years. 


Questioned Costs 


None 
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Recommendations 


We recommend management strengthen the equipment inventory procedures to help ensure that the 
equipment inventory is completed every two years. 


Views of Responsible Officials: 
The Authority will conduct a complete equipment inventory by December 31, 2017 and fully document all 


results. All records will be updated to reflect any adjustments as a result of the process. Additionally, the 
policies and procedures will updated to ensure the completion of the process being completed biennially. 
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